[WIP] Add the secrets management documentation #11396
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
OskarStark
reviewed
Apr 10, 2019
|
cc @mpdude as you wrote a blog post about this at EUFOSSA, you probably are interested in reviewing this as well 😃 |
jderusse
force-pushed
the
secrets
branch
2 times, most recently
from
1ae8ee6 to
526e6ec
Compare
jderusse
force-pushed
the
secrets
branch
3 times, most recently
from
3dc07e9 to
ffbf04c
Compare
Simperfit
reviewed
Apr 18, 2019
Simperfit
reviewed
Apr 18, 2019
Simperfit
reviewed
Apr 18, 2019
|
Comments addressed. Thanks for the review @noniagriconomie, @Simperfit and @javiereguiluz |
boite
reviewed
Jul 15, 2019
javiereguiluz
added
the
Waiting Code Merge
jderusse
force-pushed
the
secrets
branch
2 times, most recently
from
6443d0e to
713dd02
Compare
jderusse
force-pushed
the
secrets
branch
2 times, most recently
from
69c8b5e to
2746a57
Compare
jderusse
force-pushed
the
secrets
branch
2 times, most recently
from
1f7105e to
f656516
Compare
fabpot
added a commit
to symfony/symfony
that referenced
this pull request
Oct 20, 2019
…ecret:...)%` processor to deal with secrets seamlessly (Tobion, jderusse, nicolas-grekas) This PR was merged into the 4.4 branch. Discussion ---------- [FrameworkBundle] Add `secrets:*` commands and `%env(secret:...)%` processor to deal with secrets seamlessly | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | Fix #27351 | License | MIT | Doc PR | symfony/symfony-docs/pull/11396 This PR continues #31101, please see there for previous discussions. The attached patch has been fine-tuned on nicolas-grekas#33 with @jderusse. This PR is more opinionated and thus a lot simpler than #31101: only Sodium is supported to encrypt/decrypt (polyfill possible), and only local filesystem is available as a storage, with little to no extension point. That's on purpose: the goal here is to provide an experience, not software building blocks. In 5.1, this might be extended and might lead to a new component, but we'd first need reports from real-world needs. Having this straight-to-the-point in 4.4 will allow gathering these needs (if they exist) and will immediately provide a nice workflow for the need we do want to solve now: forwarding secrets from dev to prod using git in a secure way. The workflow this will allow is the following: - public/private key pairs are generated in the `config/secrets/%kernel.environment%/` folder using `bin/console secrets:generate-keys` - for the prod env, the corresponding private key should be deployed to the server using whatever means the hosting provider allows - this key MUST NOT be committed - the public key is used to encrypt secrets and thus *may* be committed in the git repository to allow anyone *that can commit* to add secrets - this is done using `bin/console secrets:set` DI configuration can reference secrets using `%env(secret:...)%` in e.g `services.yaml`. There is also `bin/console secrets:remove` and `bin/console debug:secrets` to complete the toolbox. In terms of design, vs #31101, this groups the dual "encoder" + "storage" concepts in a single "vault" one. That's part of what makes this PR simpler. That's all folks :) Commits ------- c4653e1 Restrict secrets management to sodium+filesystem 02b5d74 Add secrets management 8c8f623 Proof of concept for encrypted secrets
|
Just dropping a note - need to talk about symfony/symfony#34295 (comment) (should be added before @jderusse if it's cool with you, I can "take over" this PR soon, review it, and finish it. Nicolas has been keeping me up to date with the latest secrets tweaks, so I have an understanding of the current state. |
|
@weaverryan Feel free to change that PR. beware, many thing are changing right now it the PR you gave |
|
Hi! What is the status of this PR? I would really like to have documentation on the great secrets management feature. Even if it's not complete, if what is in here is correct, I think we should merge it asap. We can then create more PRs and issues to document the missing bits. |
|
@weaverryan Are you still working on this? Should I rebase and update my PR? |
|
I'm working on this - will get it done shortly - it's a big priority for me too :). I don't want to merge as-is, because much changed in the late stages of the feature, so I'm worried it's not accurate enough to be there yet. |
freiondrej
reviewed
Dec 5, 2019
| Local secrets | ||
| ------------- | ||
|
|
||
| It's common for developpers to use their own privates secrets (for |
There was a problem hiding this comment.
Suggested change
| It's common for developpers to use their own privates secrets (for | |
| It's common for developers to use their own privates secrets (for |
KasparRosin
reviewed
Jan 2, 2020
| Local secrets | ||
| ------------- | ||
|
|
||
| It's common for developpers to use their own privates secrets (for |
There was a problem hiding this comment.
Suggested change
| It's common for developpers to use their own privates secrets (for | |
| It's common for developpers to use their own private secrets (for |
cawolf
reviewed
Jan 14, 2020
|
|
||
| .. code-block:: terminal | ||
|
|
||
| $ php bin/console secrets:remove DATABASE_PASSWORD |
There was a problem hiding this comment.
Suggested change
| $ php bin/console secrets:remove DATABASE_PASSWORD | |
| $ php bin/console secrets:list DATABASE_PASSWORD |
|
Finished finally (sorry!) over at #12958 |
weaverryan
added a commit
that referenced
this pull request
Jan 27, 2020
…rryan) This PR was merged into the 4.4 branch. Discussion ---------- Symfony 4.4 secrets management system Hi! This completes #11396 I also made some changes to the section in `configuration.rst` about environment variables to make sure that it read well with the secrets stuff. Thanks to @jderusse for doing the vast majority of the work. Cheers! Commits ------- cd066cc tweaks thanks to review 75e5ae6 finishing the secrets documentation 82d2058 Add the secret documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a drat of the new secret management defined during the EU-FOSSA hackathon .
The PR is not yet ready, but would give an idea how it works